allow nuking accounts with prod substring, if you wish #1224

25 changes: 14 additions & 11 deletions pkg/config/config.go
Expand Up @@ -26,14 +26,15 @@ type Account struct {

type Nuke struct {
// Deprecated: Use AccountBlocklist instead.
AccountBlacklist []string `yaml:"account-blacklist"`
AccountBlocklist []string `yaml:"account-blocklist"`
Regions []string `yaml:"regions"`
Accounts map[string]Account `yaml:"accounts"`
ResourceTypes ResourceTypes `yaml:"resource-types"`
Presets map[string]PresetDefinitions `yaml:"presets"`
FeatureFlags FeatureFlags `yaml:"feature-flags"`
CustomEndpoints CustomEndpoints `yaml:"endpoints"`
AccountBlacklist []string `yaml:"account-blacklist"`
AccountBlocklist []string `yaml:"account-blocklist"`
Regions []string `yaml:"regions"`
Accounts map[string]Account `yaml:"accounts"`
ResourceTypes ResourceTypes `yaml:"resource-types"`
Presets map[string]PresetDefinitions `yaml:"presets"`
FeatureFlags FeatureFlags `yaml:"feature-flags"`
CustomEndpoints CustomEndpoints `yaml:"endpoints"`
DeniedAccountAliasSubStrings []string `yaml:"denied_account_alias_sub_strings"`
}

type FeatureFlags struct {
Expand Down Expand Up @@ -136,9 +137,11 @@ func (c *Nuke) ValidateAccount(accountID string, aliases []string) error {
}

for _, alias := range aliases {
if strings.Contains(strings.ToLower(alias), "prod") {
return fmt.Errorf("You are trying to nuke an account with the alias '%s', "+
"but it has the substring 'prod' in it. Aborting.", alias)
for _, subString := range c.DeniedAccountAliasSubStrings {
if strings.Contains(strings.ToLower(alias), subString) {
return fmt.Errorf("You are trying to nuke an account with the alias '%s', "+
"but it has the substring '%s' in it. Aborting.", alias, subString)
}
}
}

19 changes: 16 additions & 3 deletions pkg/config/config_test.go
Expand Up @@ -52,7 +52,7 @@ func TestLoadExampleConfig(t *testing.T) {
}

expect := Nuke{
AccountBlocklist: []string{"1234567890"},
AccountBlocklist: []string{"1234567890", "123455566", "123455577"},
Regions: []string{"eu-west-1", "stratoscale"},
Accounts: map[string]Account{
"555133742": {
Expand All @@ -69,6 +69,8 @@ func TestLoadExampleConfig(t *testing.T) {
Targets: types.Collection{"S3Bucket"},
},
},
"123455588": {},
"123455599": {},
},
ResourceTypes: ResourceTypes{
Targets: types.Collection{"DynamoDBTable", "S3Bucket", "S3Object"},
Expand Down Expand Up @@ -212,9 +214,20 @@ func TestConfigValidation(t *testing.T) {
{ID: "555133742", Aliases: []string{"staging"}, ShouldFail: false},
{ID: "1234567890", Aliases: []string{"staging"}, ShouldFail: true},
{ID: "1111111111", Aliases: []string{"staging"}, ShouldFail: true},
{ID: "555133742", Aliases: []string{"production"}, ShouldFail: true},
{ID: "555133742", Aliases: []string{"production"}, ShouldFail: false},
{ID: "555133742", Aliases: []string{}, ShouldFail: true},
{ID: "555133742", Aliases: []string{"staging", "prod"}, ShouldFail: true},
{ID: "555133742", Aliases: []string{"staging", "prod"}, ShouldFail: false},
// Production accounts in blocklist
{ID: "123455566", Aliases: []string{"staging", "prod"}, ShouldFail: true},
{ID: "123455577", Aliases: []string{"production"}, ShouldFail: true},
// Production accounts not in blocklist
{ID: "123455588", Aliases: []string{"staging", "prod"}, ShouldFail: false},
{ID: "123455599", Aliases: []string{"production"}, ShouldFail: false},
// Production account in blocklist and not added to accounts
{ID: "123457755", Aliases: []string{"staging", "prod"}, ShouldFail: true},
{ID: "123457788", Aliases: []string{"production"}, ShouldFail: true},
// Denied account alias substrings
{ID: "123432223", Aliases: []string{"some-accont-with-my-denied-sub-string-oh-yeah"}, ShouldFail: true},
}

for i, tc := range cases {
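Review bot: The new denied-substring case at the end of the table only exercises a lowercase alias, so it cannot catch a case mismatch between the lowercased alias and the configured substring; add a mixed-case variant such as `{ID: "123432223", Aliases: []string{"MY-DENIED-SUB-STRING"}, ShouldFail: true},` alongside it. The `123455588`/`123455599` cases already show that an alias containing `prod` on a non-blocklisted account now passes, but nothing asserts what an empty or absent `denied_account_alias_sub_strings` list does, which is the behaviour this change actually alters. TestConfigValidation starts and ends outside the hunk.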
9 changes: 9 additions & 0 deletions pkg/config/test-fixtures/example.yaml
Expand Up @@ -5,6 +5,8 @@ regions:

account-blocklist:
- 1234567890
- 123455566
- 123455577

endpoints:
- region: stratoscale
Expand All @@ -24,6 +26,9 @@ resource-types:
excludes:
- IAMRole

denied_account_alias_sub_strings:
- "my-denied-sub-string"

accounts:
555133742:
presets:
Expand All @@ -36,6 +41,10 @@ accounts:
- "uber.admin"
IAMRolePolicyAttachment:
- "uber.admin -> AdministratorAccess"
123455588: {}
123455599: {}
# Account that should be denied because of denied_account_alias_sub_strings
123432223: {}

presets:
terraform:
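Review bot: The new `denied_account_alias_sub_strings` block carries no comment, although this example is what users copy and it now replaces the former built-in refusal of aliases containing `prod`; add a line above it such as `# Refuse to run against accounts whose alias contains any of these substrings (the old implicit "prod" check no longer applies).` The comment on the `123432223` entry says the account should be denied, but denial depends on the alias supplied at runtime rather than on the account entry itself, so `# Account used by the tests to exercise denied_account_alias_sub_strings` would be more accurate.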